At a recent panel discussion on the future of digital, a couple of interesting arguments came up in the context of personal data protection. As readers may know, India doesn’t have a personal data protection law.
A nine-member bench of the Supreme Court unanimously judged personal data privacy was a fundamental right in the case of Puttaswamy vs Union of India in 2017. The Court recommended legislation be drafted to protect personal data.
A committee was formed under retired Justice B N Srikrishna to canvass opinion and draft appropriate legislation, and it submitted a draft Bill in July 2018. The government has since redrafted the proposed legislation multiple times. Each time, it has run into objections about the sweeping and vaguely defined powers it proposes to award itself to carry out surveillance and capture data. India continues to operate in this legal vacuum. It is a glaring lacuna, given the 750 million smartphone users. India’s per capita data consumption and the aggregated volume are the highest in the world.
The panellists waxed lyrical — insofar as serious men doing serious things can wax lyrical — about the potential of using data to generate growth, to deliver improved services, to impart efficiency to big business, and to enable small- and medium-sized businesses to climb the income ladder.
When the question of data-protection came up, one panellist, a senior partner at a major consultancy, said there was really no necessity for a personal data protection law since “responsible companies and institutions” would not misuse, or steal data. He admitted in passing that data should be used with consent. He also claimed that regulatory institutions like the Reserve Bank of India and fintech companies always used data with consent. Yes, he admitted, some businesses might misuse data but by and large, data was used by responsible entities.
Another panellist, an academic who has done great work helping retail outlets in Africa leverage their transaction data to grow, said that there is usually cross-border permeation of regulation in the digital domain. Assuming, for example, that the EU’s General Data Protection Regulation or GDPR is the best-in-class legislation, multinationals in the EU and corporations aspiring to work in the EU will build systems to comply with the GDPR. As a result, even if protections in other geographies are less (or non-existent in the case of India), the effective protection would be of GDPR levels.
A third panellist, who served on the Justice B N Srikrishna Committee, admitted he thought the iterations and redrafts of the last five years did not adequately protect individuals against government snooping, or businesses for that matter against government demanding their proprietary data.
The first argument — there is no necessity for a law — can be dismissed in the same way one would dismiss an argument that there is no need for a law prohibiting murder because responsible citizens don’t commit murder. What is amazing is that a consultant working with the biggest businesses and the government could make this argument, in apparent good faith. India has high instances of egregious data misuse and it’s possible the lack of legislation enables this.
The second argument about legal systems permeating across borders is much more nuanced. It can cut both ways. If a business is focussed on India with its massive data volumes and its high-growth markets and opportunities, it will develop practices that would not fly in the EU. That makes it hard for this hypothetical business to operate in better-protected markets. In a similar vein, global cloud service providers and data centre businesses are wary of locating to India because their clients in regions with better protection would be very unhappy.
Another question arises: How much of the projected growth is premised on India remaining a digital Wild West where businesses can draw and shoot their analytics guns without fear of the law? It’s a difficult question to answer.
Bad legislation may stymie growth, or enable digital Big Brother. But good legislation might enable growth without breach of privacy. In theory, India possesses institutions that could course-correct sub-optimal legislation. No legislation at all is, to put it politely, crazy.
One subscription. Two world-class reads.
Already subscribed? Log in
Subscribe to read the full story →*Subscribe to Business Standard digital and get complimentary access to The New York Times
Smart Quarterly
₹900
3 Months
₹300/Month
SAVE 25%
Smart Essential
₹2,700
1 Year
₹225/Month
SAVE 46%
*Complimentary New York Times access for the 2nd year will be given after 12 months
Super Saver
₹3,900
2 Years
₹162/Month
Subscribe
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app
SAVE 25%